Home/ Questions/Q 9177113
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T17:15:23+00:00

I have created simple SSL client server program and in that program I am

  • 0

I have created simple SSL client server program and in that program I am using self signed certificate which are created with my own local CA according to the help on https://help.ubuntu.com/community/OpenSSL

So I have my CA certificate and private key. Server certificate signed by my CA and Serve private key. Client certificate signed by my CA and Client private key.

Now following is the code part of client server program which shows the loading of certificate and SSL handshake.

Server:

SSL_library_init();
ctx = InitServerCTX(); /* initialize SSL */
LoadCertificates(ctx, "server_crt.pem", "server_key.pem"); /* load certs */
SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL);
//SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 0);
SSL_CTX_set_verify_depth(ctx, 1);
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file("cacert.pem"));
server = OpenListener(atoi(portnum)); /* create server socket */
while (1)
{
    struct sockaddr_in addr;
    int len = sizeof(addr);
    SSL *ssl;

    int client = accept(server, (struct sockaddr*) &addr, &len); /* accept connection as usual */
    printf("Connection: %s:%d\n", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
    ssl = SSL_new(ctx); /* get new SSL state with context */
    SSL_set_fd(ssl, client); /* set connection socket to SSL state */
    Servlet(ssl); /* service connection */
}

Client:

SSL_library_init();
ctx = InitCTX();
LoadCertificates(ctx, "client_crt.pem", "client_key.pem"); /* load certs */
SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL);
SSL_CTX_set_verify_depth(ctx, 1);
server = OpenConnection(hostname, atoi(portnum));
ssl = SSL_new(ctx); /* create new SSL connection state */
SSL_set_fd(ssl, server); /* attach the socket descriptor */
if (SSL_connect(ssl) != 1) /* perform the connection */
    ERR_print_errors_fp(stderr);
else
{
    char *msg = "This is Darshan";

    printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
    ShowCerts(ssl); /* get any certs */
    SSL_write(ssl, msg, strlen(msg)); /* encrypt & send message */
    bytes = SSL_read(ssl, buf, sizeof(buf)); /* get reply & decrypt */
    buf[bytes] = 0;
    printf("Received: \"%s\"\n", buf);
    SSL_free(ssl); /* release connection state */
}

Now when I run this programs I get error like below in Client:

3073476808:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1248:SSL alert number 43

Why I am getting this error ? My certificates are ok and both client and server certificates are signed by my CA. Please help me in finding error.

Certificate of Client:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
    Issuer: CN=My Root Certificate Authority, ST=somestate, C=IN/emailAddress=xyz@xyz.com, O=XYZ Ltd., OU=Department
    Validity
        Not Before: Jan 18 07:50:30 2013 GMT
        Not After : Jan 17 07:50:30 2018 GMT
    Subject: CN=localhost, ST=somestate, C=IN/emailAddress=abc@abc.com, O=ABC Ltd., OU=Software Department
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (1024 bit)
            Modulus:
                00:c1:1e:ea:56:d9:44:05:28:cb:4e:cd:85:88:9a:
                8e:8d:77:d7:80:92:7c:b5:20:89:31:45:2a:73:72:
                5d:d2:01:3c:1d:18:2e:c2:72:56:4d:84:f4:21:ae:
                55:d6:b5:5c:58:9a:3b:48:2c:9e:05:a4:ee:af:b7:
                f4:42:ef:54:9c:a1:bc:a9:b5:53:dc:69:90:d2:df:
                c0:e0:09:d5:e4:d4:08:a8:f2:76:1b:c5:0d:c9:13:
                eb:ba:76:09:a2:67:38:cc:d8:6d:44:51:78:39:03:
                b4:a4:a1:73:ec:d4:7d:c3:06:4b:64:6b:f7:14:d3:
                1c:c9:e4:db:cc:82:5c:94:fb
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Alternative Name: 
            DNS:www.example.com
        X509v3 Basic Constraints: 
            CA:FALSE
        Netscape Cert Type: 
            SSL Server
Signature Algorithm: md5WithRSAEncryption
     ba:76:2c:2a:15:f3:98:32:86:60:dc:2a:a9:a6:a8:ca:e6:a7:
     74:d8:8f:0e:b2:ad:00:ef:fc:13:74:26:75:12:fa:af:4f:55:
     61:75:34:77:8c:37:b9:58:ab:ee:71:9b:6d:3c:10:ab:f0:20:
     73:89:7c:5c:e2:df:82:21:96:b4:91:5a:9b:f8:10:6a:4b:01:
     06:7e:b6:26:bc:c1:80:21:85:d9:7f:0b:56:a3:89:5e:e1:f4:
     31:d1:c9:be:a3:39:d5:51:0a:3e:b9:27:fb:82:5f:d1:24:40:
     f0:84:a4:f9:bc:23:11:fb:65:ad:d5:bc:2e:23:a0:5c:0f:58:
     a5:8b:38:f6:0c:52:65:f1:84:29:be:dd:77:73:2b:3c:b6:4c:
     4e:87:3f:38:45:48:b2:50:24:7a:06:fe:ac:79:bf:04:88:d6:
     5d:4b:38:f9:25:90:c9:e4:d6:7d:6b:1c:9a:78:10:5a:42:43:
     8d:26:08:6e:f9:34:e1:8f:2f:bb:33:d5:96:b6:2a:35:75:c1:
     e5:f2:b9:3d:8a:0d:49:e8:00:3c:08:03:5a:97:e2:79:4b:1a:
     9c:98:5c:ba:8b:5b:44:5c:a3:0e:6f:d5:af:5a:9e:88:4e:2e:
     fe:91:ae:95:83:75:68:71:04:e5:99:1b:3e:bc:a6:cf:84:2f:
     98:78:25:33

—–BEGIN CERTIFICATE—–
MIIDiDCCAnCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBtzEsMCoGA1UEAxMjSW52
aXhpdW0gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxEDAOBgNVBAgTB0d1amFy
YXQxCzAJBgNVBAYTAklOMSYwJAYJKoZIhvcNAQkBFhdkcHJhamFwYXRpQGludml4
aXVtLmNvbTEiMCAGA1UEChMZSW52aXhpdW0gQWNjZXNzIFB2dC4gTHRkLjEcMBoG
A1UECxMTRW1iZWRkZWQgRGVwYXJ0bWVudDAeFw0xMzAxMTgwNzUwMzBaFw0xODAx
MTcwNzUwMzBaMIGbMRAwDgYDVQQDEwdpeG0ud2ViMRAwDgYDVQQIEwdHdWphcmF0
MQswCQYDVQQGEwJJTjEmMCQGCSqGSIb3DQEJARYXZHByYWphcGF0aUBpbnZpeGl1
bS5jb20xIjAgBgNVBAoTGUludml4aXVtIEFjY2VzcyBQdnQuIEx0ZC4xHDAaBgNV
BAsTE1NvZnR3YXJlIERlcGFydG1lbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAMEe6lbZRAUoy07NhYiajo1314CSfLUgiTFFKnNyXdIBPB0YLsJyVk2E9CGu
Vda1XFiaO0gsngWk7q+39ELvVJyhvKm1U9xpkNLfwOAJ1eTUCKjydhvFDckT67p2
CaJnOMzYbURReDkDtKShc+zUfcMGS2Rr9xTTHMnk28yCXJT7AgMBAAGjPTA7MBsG
A1UdEQQUMBKCEHd3dy5pbnZpeGl1bS5jb20wCQYDVR0TBAIwADARBglghkgBhvhC
AQEEBAMCBkAwDQYJKoZIhvcNAQEEBQADggEBALp2LCoV85gyhmDcKqmmqMrmp3TY
jw6yrQDv/BN0JnUS+q9PVWF1NHeMN7lYq+5xm208EKvwIHOJfFzi34IhlrSRWpv4
EGpLAQZ+tia8wYAhhdl/C1ajiV7h9DHRyb6jOdVRCj65J/uCX9EkQPCEpPm8IxH7
Za3VvC4joFwPWKWLOPYMUmXxhCm+3XdzKzy2TE6HPzhFSLJQJHoG/qx5vwSI1l1L
OPklkMnk1n1rHJp4EFpCQ40mCG75NOGPL7sz1Za2KjV1weXyuT2KDUnoADwIA1qX
4nlLGpyYXLqLW0Rcow5v1a9anohOLv6RrpWDdWhxBOWZGz68ps+EL5h4JTM=
—–END CERTIFICATE—–

Client conf file:

#

example.cnf

#

[ req ]
prompt = no
distinguished_name = server_distinguished_name

[ server_distinguished_name ]
commonName = abc.com
stateOrProvinceName = NC
countryName = US
emailAddress = root@abc.com
organizationName = My Organization Name
organizationalUnitName = Subunit of My Large Organization

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It seems likely that the X.509 certificate presented by the server is not valid. Could you please post the result of a ‘openssl x509 -text -in your_cert_file’ ?

    I suspect that your certificate doesn’t have the “Web Server Authentication” usage set in the “x509v3 Extended Key Usage” extension.

    [edit]

    Looking at the certificate you posted, the Netscape Cert Type is wrong, it is set to “SSL Server” instead of “SSL Client”, if this is the client certificate.

    You may also want to set some v3 extensions like X509v3 Key Usage and X509v3 extended key usage, but it is not mandatory.

    If you are interested in the exact checks, you can read the OpenSSL related code in crypto/x509v3/v3purp.c

    [/edit]

    • 0